Hi rob
I don't know anything about kerberizing postgres but I would guess that you created a service keytab for psql, is that right?
Yes, I have created a service keytab for postgres.

Check the permissions of the keytab. Permission denied usually means that the server can't read its own keytab.

Thank you.
You were right. I have changed the file ownership to set the postgres user as file owner and I don't have the
permission denied message anymore :)

If this doesn't fix it can you outline what you've done so far in configuring psql?
I walk forward in the configuration, but there are always some issues that I don't understand... but they are closer to
postgres than to kerberos.
I have configured a user called jeradm in postgres and created a principal in freeipa/kerberos called jer...@myipa.org.
I need to do (starting from another user account):
    su - jeradm;
    kinit jeradm;
    psql -d postgres -h ipa0

to connect to the database with the jeradm account.

If I stay as the root system user and do:
    kinit jeradm;
    psql -d postgres -h ipa0

PostgreSQL prevents me from connecting to the database and in the log I have messages like
    [ipa0][postgres] FATAL:  GSSAPI authentication failed for user "root"
    [ipa0][postgres] LOG: provided username (root) and authenticated username (jeradm) don't match

In my rookie comprehension of kerberos, psql will have to use my ticket to identify the user to use for connection... but
it keeps using my current linux user account ...

I think that I have missed something....

Thank you Rob :)
Jérôme

rob
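
The keytab check discussed in this thread, as an added example that is not part of the original messages: a shell function that reports why a service account cannot safely use its keytab. It assumes GNU `stat` (Linux); the function name `check_keytab` and its arguments are hypothetical.

```shell
#!/bin/sh
# check_keytab FILE OWNER   (hypothetical helper, added example)
# OWNER is an account name or a numeric uid. Returns 0 only when FILE is a
# regular file owned by OWNER, readable by that owner, and closed to
# group and other. Any other state returns 1 with a reason on stdout.
check_keytab() {
    kt_file=$1
    kt_owner=$2
    if [ ! -f "$kt_file" ]; then
        echo "FAIL: $kt_file is missing or not a regular file"
        return 1
    fi
    # Resolve an account name to a uid; a purely numeric argument is used as-is.
    case $kt_owner in
        ''|*[!0-9]*)
            kt_want=$(id -u "$kt_owner" 2>/dev/null) || {
                echo "FAIL: no such account: $kt_owner"
                return 1
            } ;;
        *)  kt_want=$kt_owner ;;
    esac
    kt_have=$(stat -c %u "$kt_file")   # numeric owner of the file
    kt_mode=$(stat -c %a "$kt_file")   # octal permission bits, e.g. 600
    if [ "$kt_have" != "$kt_want" ]; then
        # The case from the thread: the server cannot read its own keytab.
        echo "FAIL: owned by uid $kt_have, service runs as uid $kt_want"
        return 1
    fi
    if [ $(( 0$kt_mode & 0400 )) -eq 0 ]; then
        echo "FAIL: mode $kt_mode gives the owner no read permission"
        return 1
    fi
    if [ $(( 0$kt_mode & 0077 )) -ne 0 ]; then
        # A keytab holds long-term keys, so group/other access exposes them.
        echo "FAIL: mode $kt_mode grants access to group or other"
        return 1
    fi
    echo "OK: $kt_file (uid $kt_have, mode $kt_mode)"
}

# Stand-alone use: sh check_keytab.sh <keytab-path> <service-account>
if [ "$#" -eq 2 ]; then
    check_keytab "$1" "$2"
fi
```
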